February 2013 | Technology/ABA TECHSHOW 2013
Thus starts the story of Mat Honan, a writer for Wired Magazine. Mat’s story should be a cautionary tale for all, especially lawyers, whose duty to maintain the confidentiality of client data makes added security more than a matter of personal inconvenience. Mat admits that much of what happened could have been avoided by using two-factor authentication on his Google account and other security measures. So, why didn’t he do it? Because adding layers of security means adding a layer of complication, and sometimes inconvenience. However, recovering from a firm security breach or hack would be even more inconvenient.
Google’s Gmail, Google Chrome, LastPass, Dropbox, WordPress and many other popular services have added an extra layer of security, called “two-factor authentication,” that a user must enable. Gmail, Google’s widely used and free online email platform, was one of the first of the consumer cloud products to offer two-factor authentication. Since most online accounts require an email address, which often acts as a user name, locking down your Gmail account with a really strong, unique-to-that-account password and turning on two-factor authentication will go a long way in reducing risk. Why? Because as Mat Honan explains, he had his online accounts “daisy chained” together with shared usernames, passwords and associated email.
What is Two-Factor Authentication?
Setting Up Two-Factor Authentication in Google
“But, wait…” you will start to say. Don’t worry, some handy options make this foolproof and not at all onerous! As a tertiary precaution, Google supplies you with a one-time list of printable backup codes so that if your phone is unavailable you can still sign into your account. They suggest keeping the codes somewhere accessible, like your wallet. Also, you can create a list of trusted computers, like your home and work computers, which will not require the SMS code to access Google. In this way your usual workflow is not disrupted. Just check “trust this computer” the first time you enter the verification code and you will not have to enter the code again. However, for your portable devices, it would probably be wise to keep 2-step verification enabled. The primary goal here is to keep outsiders from hacking your Google account, not to make it difficult to use your own technology!
Some Google products that work outside of the browser are not compatible with 2-step verification, such as the Google Voice mobile app for iPhone, some chat clients and Chrome Sync. For these, you will need to create an application-specific password. From the 2-step verification setup screen, click on “Manage application-specific passwords”. Enter the name of the application, such as “Chrome at Home” or “GVoice on Phone,” then click “generate password”. Enter the newly generated password in place of your regular password, and voilà. From that same page, you can see which applications have these auto-generated passwords, and can revoke access at any time. This page also shows you the sites, apps and services that you have granted access to your Google account and what they have permission to access, and lets you revoke that access with a click.
Setting Up Two-Factor Authentication in Dropbox
Setting Up Two-Factor Authentication in LastPass
Catherine Sanders Reach is the director of law practice management and technology for the Chicago Bar Association.
LAW PRACTICE TODAY